Firefox 68.0.2

One security fix and a handful of other bug fixes were released in the form of Firefox 68.0.2 on August 14.

The lone security fix closes a hole in the way Firefox handles saved passwords. Before Firefox 68.0.2, it was possible to extract password information from the browser’s encrypted password database — even when it was protected by a master password — without entering the master password. That’s a rather large and (at least to anyone who uses Firefox’s password store with a master password) disturbing security hole.

As always, you can wait for Firefox to update itself, or expedite things by navigating the browser’s ‘hamburger’ menu to Help > About Firefox.

Patch Tuesday for August 2019

It’s another day of updates, with the usual load from Microsoft, and a new version of Reader from Adobe.

Analysis of the monthly data dump from Microsoft’s Security Update Guide shows that this month we have fifty-two updates (with associated bulletins), addressing ninety-five vulnerabilities in Office applications, Windows, Internet Explorer 9 through 11, Edge, Exchange, SharePoint, and Windows Defender.

Twenty-nine of the vulnerabilities are characterised as having Critical severity, and all of the usual nightmarish potential impacts are represented, including Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing, and Tampering.

If you’re running Windows 10, there’s not much you can do to avoid these updates, although you can at least delay them. The risks associated with installing updates as soon as they become available are still arguably lower than the risks of delaying them as much as possible, or somehow avoiding them altogether.

In this particular case, however, you definitely should install the updates immediately. That’s because they include fixes for a set of dangerous vulnerabilities in RDS (Remote Desktop Services) in all versions of Windows, including Windows 10. Still not convinced? This month’s updates also include a fix for a terrible vulnerability in the Text Services Framework that’s existed in all versions of Windows since XP. The RDS and Text Services vulnerabilities were discovered very recently; no related exploits or attacks have been observed, but it’s a safe bet that malicious persons are working on exploits right now.

Anyway, as always, Windows Update is your friend. Your annoying, can’t-seem-to-shake-them kind of friend.

Adobe released updates for several of its products today, of which only Acrobat Reader presents a significant risk, because malicious hacker types enjoy embedding various kinds of nastiness in PDF files, pretty much every computer on Earth has Acrobat Reader installed, and most people with computers open PDF files without even thinking about the risk.

The latest Acrobat Reader (DC Continuous, which is the variant most likely to be installed on your computer) is version 2019.012.20036. It addresses at least seventy-six security vulnerabilities in previous versions. The release bulletin gives credit to a number of non-Adobe security researchers who discovered and reported some of the vulnerabilities.

You can check your version of Acrobat Reader by navigating its menu to Help > About Adobe Acrobat Reader DC. Also on the Help menu is the handy Check for Updates option, which is probably the easiest way to update Reader.

Chrome 76.0.3809.100

Google released another version of Chrome a few days ago, and it includes fixes for four security vulnerabilities. The change log is mercifully brief, but there’s also not much there of interest. The announcement for Chrome 76.0.3809.100 gives credit to non-Google security researchers for discovering two of the vulnerabilities.

Check your version of Chrome by navigating its ‘three dot’ menu to Help > About Google Chrome. If an update is available, you can install it from there.

Chrome 76.0.3809.87 – 43 security fixes

On Tuesday, Google released another new version of Chrome: 76.0.3809.87. The announcement highlights sixteen vulnerabilities, discovered by security researchers not employed by Google, that are addressed in the new version. There are forty-three security fixes in all.

Google has chosen not to highlight any other changes in Chrome 76.0.3809.87, so if you want to know whether anything important changed, your only option is to read the thirteen thousand, five hundred and forty-three entries in the full change log. Good luck with that.

Chrome, uh, finds a way to keep itself updated, and fighting against that is a never-ending and ultimately pointless exercise. What you can do is check your version and thereby trigger an immediate update, by navigating Chrome’s ‘three vertical dots’ menu (at the top right) to Help > About Google Chrome. That way you don’t have to wait for Chrome to update itself, which happens “over the coming days/weeks” according to Google.

Thunderbird 60.8: ten security fixes

Earlier this month Mozilla released a new version of its (still free, and still pretty good) email client, Thunderbird. The new version (60.8) includes fixes for ten security issues in earlier versions.

If you use Thunderbird, you can check which version you’re running by clicking its ‘hamburger’ menu button and navigating to Help > About Mozilla Thunderbird. If a newer version is available, you should see a prompt to install it.

Java 8u221 – ten security fixes

If you still use Java, and particularly if Java is enabled in Internet Explorer, it’s important to keep it up to date. Security vulnerabilities in Java are still a somewhat popular target for malicious hackers and malware purveyors.

If you’re not sure whether Java is even installed on your computer, look for a Java entry in the Windows Control Panel. If you see one, Java is installed. The Java Control Panel has an Update tab that allows you to check for pending updates and install the latest version.

You can check whether Java is enabled in Internet Explorer by using that browser to visit Oracle’s Verify Java Version page.

This is what you should see on the Verify Java Version page if you are using IE and Java is up to date.

Oracle issues quarterly updates for a wide range of software products, and that includes Java. The July 2019 update describes ten security vulnerabilities that are addressed in the latest version of Java, 8 update 221.

Chrome 75.0.3770.142

Two security fixes for Chrome were released earlier this week in the form of Chrome version 75.0.3770.142.

The change log for Chrome 75.0.3770.142 lists one hundred and twenty-eight changes in all, but other than the two fixes for security vulnerabilities, none of them are particularly interesting.

By default, Chrome will update itself in the days following a new release. You can encourage it by navigating its ‘three dot’ menu to Help > About Google Chrome, where an option to update will be shown if one is available.

Firefox 68.0

There are at least twenty-one fixes for security issues in the latest Firefox, version 68.0. If Firefox is your browser of choice, and it prompts you to install this update, you should let it proceed. If Firefox’s automatic version checking is disabled, you can always wake it up by navigating the ‘hamburger’ menu to Help > About Mozilla Firefox.

Other changes in Firefox 68.0 include the spread of “Dark mode in reader view” into the surrounding browser interface. Blecch. Well, it’s not for me, anyway.

Extension management, via the about:addons page, is improved in the new Firefox. It’s now easier to report security and performance issues with extensions and themes. It’s also easier to get detailed information about extensions. And there’s a new section that provides extension recommendations.

The release notes page for Firefox 68.0 has more information.

Patch Tuesday for July 2019

Microsoft’s Security Update Guide provides the raw material for understanding each month’s pile of patches, but it’s not exactly easy to use in its current form. I use the almost-hidden Download link to the far right of the Security Updates heading about halfway down the page. The downloaded file is an Excel spreadsheet, which I find much easier to navigate than the SUG site. Your mileage may vary.

This month, Microsoft has issued sixty-seven updates and associated bulletins. The updates address seventy-eight vulnerabilities in Windows, Internet Explorer, Edge, Office, Office Services and Web Apps, Azure DevOps, Open Source Software, .NET Framework, Azure, SQL Server, ASP.NET, Visual Studio, and Microsoft Exchange Server.

The vulnerabilities range from Moderate to Critical in severity, and they can lead to one or more of the usual horrors, including Denial of Service, Elevation of Privilege, Remote Code Execution, Information Disclosure, Spoofing, and Security Feature Bypass. Brrrrr.
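The tally behind monthly figures like these can be reproduced from the downloaded spreadsheet once it is saved as CSV. The following is an added example, not the author's own tooling; the column names (Article, Severity, Impact, Details) and every sample row are assumptions constructed for illustration. It shows why rows must be de-duplicated: the same update and the same CVE repeat once per affected product.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Column names are assumed, and the KB and CVE
# identifiers are placeholders, not real bulletins.
SAMPLE_CSV = """Product,Article,Severity,Impact,Details
Windows 10 Version 1903,KB0000001,Critical,Remote Code Execution,CVE-0000-0001
Windows Server 2019,KB0000001,Critical,Remote Code Execution,CVE-0000-0001
Windows 10 Version 1903,KB0000001,Important,Elevation of Privilege,CVE-0000-0002
Internet Explorer 11,KB0000002,Critical,Remote Code Execution,CVE-0000-0003
Microsoft Office 2016,KB0000003,Important,Information Disclosure,CVE-0000-0004
Microsoft Office 2016,KB0000003,,Information Disclosure,CVE-0000-0004
"""

SEVERITY_RANK = {"": 0, "Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}


def summarize(rows):
    """Collapse per-product rows into per-update and per-vulnerability counts."""
    articles = set()
    worst = {}    # CVE -> highest severity seen on any product row
    impacts = {}  # CVE -> set of impacts listed for it
    for row in rows:
        article = (row.get("Article") or "").strip()
        cve = (row.get("Details") or "").strip()
        sev = (row.get("Severity") or "").strip()
        if article:
            articles.add(article)
        if not cve:
            continue
        # ">=" so a CVE whose first row has a blank severity is still counted.
        if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK.get(worst.get(cve, ""), 0):
            worst[cve] = sev
        impacts.setdefault(cve, set()).add((row.get("Impact") or "").strip())
    return {
        "updates": len(articles),
        "vulnerabilities": len(worst),
        "by_severity": Counter(worst.values()),
        "by_impact": Counter(i for s in impacts.values() for i in s if i),
    }


if __name__ == "__main__":
    # Six product rows collapse to three updates and four vulnerabilities.
    print(summarize(csv.DictReader(io.StringIO(SAMPLE_CSV))))
```
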

Release Notes for July 2019 Security Updates

By far the easiest way to install all these updates is to let Windows Update do the work. Of course to some extent that means trusting Microsoft not to hose your computer, so there’s that. My current thinking is that I’m willing to trust Microsoft to do this, as long as they at least give me a way to roll back any faulty updates.

Adobe released some security updates to coincide with Microsoft’s patch cycle, but none for the ubiquitous Flash Player or Acrobat Reader.

Firefox 67.0.3 and 67.0.4

Over the last few days, two new versions of Firefox were released, each addressing a single security vulnerability.

Firefox 67.0.3 fixes a critical flaw in the way JavaScript objects are handled that can allow exploitable crashes. Targeted attacks in the wild are actively abusing this flaw.

Firefox 67.0.4’s fix is for an as yet unexploited flaw that could potentially result in executing arbitrary code on the user’s computer.

Both vulnerabilities were reported to Mozilla by non-Mozilla security researchers.

You can wait for Firefox to update itself, or nudge it along by visiting Help > About Mozilla Firefox in its menu, found by clicking the ‘hamburger’ button in the toolbar.
